Author: Damian Perera
Date: 1/3/2026
Detection query: Written in SPL (Search Processing Language) for Splunk
index=* (EventCode=4104 OR EventCode=4103)
(ScriptBlockText="*Invoke-Expression*" OR
ScriptBlockText="*IEX*" OR
ScriptBlockText="*DownloadString*" OR
ScriptBlockText="*DownloadFile*" OR
ScriptBlockText="*Net.WebClient*" OR
ScriptBlockText="*Start-Process*" OR
ScriptBlockText="*-EncodedCommand*" OR
ScriptBlockText="*-enc*" OR
ScriptBlockText="*bypass*" OR
ScriptBlockText="*-nop*" OR
ScriptBlockText="*hidden*" OR
ScriptBlockText="*Invoke-Mimikatz*" OR
ScriptBlockText="*Invoke-ReflectivePEInjection*")
| table _time, host, user, ScriptBlockText
| sort -_time
Description:
This query flags PowerShell script block logging (4104) and module logging (4103) events whose content contains operators and tool names commonly seen in malicious PowerShell use. The matched terms and why each matters:
Invoke-Expression: Runs a string as a command or expression
IEX: Alias for Invoke-Expression
DownloadString: Used in fileless attacks to pull a script or payload straight into memory and execute it without writing it to disk first
Net.WebClient/DownloadFile: Used to download malicious payloads from the internet to disk
Start-Process: Used in attack chains after a payload has been downloaded to execute it with specific parameters, launch processes with elevated privileges, run processes hidden from the user, and establish persistence or lateral movement
-EncodedCommand: Takes a Base64-encoded (UTF-16LE) script on the powershell.exe command line; used to obfuscate malicious commands and evade simple keyword detection
-enc: Abbreviation of -EncodedCommand (powershell.exe accepts any unambiguous prefix of a parameter name, so -e and -ec work as well)
bypass: As in -ExecutionPolicy Bypass, which disables PowerShell's execution policy, the setting that would usually block unsigned or untrusted scripts
-nop: Alias for -NoProfile, which prevents PowerShell from loading user and system profile scripts at startup. Used to sidestep anything administrators have placed in profile scripts and to make sure malicious code runs without interference from profile configuration
hidden: As in -WindowStyle Hidden, which prevents a PowerShell window from appearing on screen, giving the attacker stealthy execution and reducing the chance a user notices
Invoke-Mimikatz: Runs the Mimikatz credential dumping tool in memory, which can extract plaintext passwords, NTLM hashes, Kerberos tickets and other credentials from LSASS
Invoke-ReflectivePEInjection: Loads Windows Portable Executable files (DLLs and EXEs) directly into memory without writing them to disk
Caveats before running this in production:
4103 events do not carry a ScriptBlockText field in Splunk; the invoked command is in Payload (with the caller in ContextInfo), so the 4103 half of this filter will not match unless you add the same keyword condition on Payload.
Script block logging records the script after decoding, so -EncodedCommand, -enc, -nop and hidden appear in 4104 text only when a logged script itself builds or spawns another powershell.exe command line. The switches used to launch the first PowerShell process are visible in process creation logs (Security 4688 with command-line auditing, or Sysmon Event ID 1), so pair this query with one on those sources.
The short substrings are noisy: *-enc* also matches -Encoding, *hidden* matches any file, variable or function name containing the word, and *bypass* matches unrelated strings. Expect tuning, and consider anchoring them to the parameter they belong to (for example "-ExecutionPolicy Bypass" and "-WindowStyle Hidden").
index=* searches every index; scope the query to the index and sourcetype that receive the Microsoft-Windows-PowerShell/Operational log.
Use the following Sigma rule to convert this query to your preferred query language:
title: Suspicious PowerShell ScriptBlock (Encoded, Download, IEX, Mimikatz, PE Injection)
id: a1b2c3d4-5e6f-7a89-b0c1-d2e3f4567890
status: experimental
description: |
    Detects PowerShell logging events (Event ID 4104 script block logging and
    Event ID 4103 module logging) whose content contains operators commonly seen
    in malicious use, such as encoded commands, IEX, WebClient downloads,
    hidden-window execution, or known post-exploitation modules
    (Invoke-Mimikatz, Invoke-ReflectivePEInjection). Useful for early detection
    of living-off-the-land abuse of PowerShell and of credential-dumping attempts.
author: Damian Perera
date: 01-03-2026
logsource:
    product: windows
    service: powershell
    definition: 'PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103)'
detection:
    selection_event:
        EventID:
            - 4103
            - 4104
    selection_keywords:
        ScriptBlockText|contains:
            - 'Invoke-Expression'
            - 'IEX'
            - 'DownloadString'
            - 'DownloadFile'
            - 'Net.WebClient'
            - 'Start-Process'
            - '-EncodedCommand'
            - '-enc'
            - 'bypass'
            - '-nop'
            - 'hidden'
            - 'Invoke-Mimikatz'
            - 'Invoke-ReflectivePEInjection'
    condition: selection_event and selection_keywords
fields:
    - _time
    - host
    - user
    - ScriptBlockText
falsepositives:
    - Legitimate administrative scripts that use encoded commands or WebClient
      downloads (e.g., software deployment, patching). Review context and source
      before triggering.
    - Short keywords such as -enc, hidden and bypass also match benign text
      (for example -Encoding, or a file name containing "hidden").
level: high
tags:
    - attack.execution
    - attack.t1059.001 # Command and Scripting Interpreter: PowerShell
    - attack.credential_access
    - attack.t1003.001 # OS Credential Dumping: LSASS Memory (Invoke-Mimikatz)
    - attack.t1055.001 # Process Injection: Dynamic-link Library Injection (Invoke-ReflectivePEInjection)
    - attack.defense_evasion
    - attack.t1027 # Obfuscated Files or Information (-EncodedCommand, -enc)
    - mitre
    - sigma